X-Git-Url: http://de.git.xonotic.org/?p=xonotic%2Fd0_blind_id.git;a=blobdiff_plain;f=d0_blind_id.c;h=b9989cec5aff1e94866e2a7cf5d4504bc28131ce;hp=52cd405cc0ddbb10c84c0d21386d655860c98b62;hb=0d3d1f2655901776b2fc3e911eb78478412f789a;hpb=754d6430131e6845d7d0a6130b31305bb5f895f1 diff --git a/d0_blind_id.c b/d0_blind_id.c index 52cd405..b9989ce 100644 --- a/d0_blind_id.c +++ b/d0_blind_id.c @@ -120,6 +120,7 @@ static void *tempmutex = NULL; // hold this mutex when using temp0 to temp4 D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_INITIALIZE(void) { USINGTEMPS(); + d0_initfuncs(); tempmutex = d0_createmutex(); LOCKTEMPS(); CHECK(d0_bignum_INITIALIZE()); @@ -228,9 +229,8 @@ static D0_BOOL d0_rsa_generate_key(size_t size, d0_blind_id_t *ctx) CHECK(d0_bignum_gcd(temp4, NULL, NULL, temp2, ctx->rsa_e)); if(!d0_bignum_cmp(temp4, one)) break; - if(++gcdfail == 3) + if(++gcdfail == 16) goto fail; - ++gcdfail; } UNLOCKTEMPS(); @@ -242,7 +242,7 @@ static D0_BOOL d0_rsa_generate_key(size_t size, d0_blind_id_t *ctx) if(!d0_bignum_cmp(temp1, ctx->rsa_d)) { UNLOCKTEMPS(); - if(++fail == 3) + if(++fail == 16) goto fail; continue; } @@ -260,9 +260,8 @@ static D0_BOOL d0_rsa_generate_key(size_t size, d0_blind_id_t *ctx) break; } UNLOCKTEMPS(); - if(++gcdfail == 3) + if(++gcdfail == 16) goto fail; - ++gcdfail; } // ctx->rsa_n = ctx->rsa_d*temp1 @@ -270,8 +269,8 @@ static D0_BOOL d0_rsa_generate_key(size_t size, d0_blind_id_t *ctx) // ctx->rsa_d = ctx->rsa_e^-1 mod (ctx->rsa_d-1)(temp1-1) CHECK(d0_bignum_sub(temp2, ctx->rsa_d, one)); // we can't reuse the value from above because temps were unlocked - CHECK(d0_bignum_mul(temp0, temp2, temp3)); - CHECK(d0_bignum_mod_inv(ctx->rsa_d, ctx->rsa_e, temp0)); + CHECK(d0_bignum_mul(temp1, temp2, temp3)); + CHECK(d0_bignum_mod_inv(ctx->rsa_d, ctx->rsa_e, temp1)); UNLOCKTEMPS(); return 1; fail: @@ -306,9 +305,8 @@ static D0_BOOL d0_rsa_generate_key_fastreject(size_t size, d0_fastreject_functio CHECK(d0_bignum_gcd(temp4, NULL, NULL, temp2, ctx->rsa_e)); if(!d0_bignum_cmp(temp4, one)) break; - if(++gcdfail == 3) + if(++gcdfail == 16) return 0; - ++gcdfail; } UNLOCKTEMPS(); @@ -320,7 +318,7 @@ static D0_BOOL d0_rsa_generate_key_fastreject(size_t size, d0_fastreject_functio if(!d0_bignum_cmp(temp1, ctx->rsa_d)) { UNLOCKTEMPS(); - if(++fail == 3) + if(++fail == 16) return 0; continue; } @@ -347,15 +345,14 @@ static D0_BOOL d0_rsa_generate_key_fastreject(size_t size, d0_fastreject_functio break; } UNLOCKTEMPS(); - if(++gcdfail == 3) + if(++gcdfail == 16) return 0; - ++gcdfail; } // ctx->rsa_d = ctx->rsa_e^-1 mod (ctx->rsa_d-1)(temp1-1) CHECK(d0_bignum_sub(temp2, ctx->rsa_d, one)); // we can't reuse the value from above because temps were unlocked - CHECK(d0_bignum_mul(ctx->rsa_d, temp2, temp3)); - CHECK(d0_bignum_mod_inv(ctx->rsa_d, ctx->rsa_e, temp0)); + CHECK(d0_bignum_mul(temp1, temp2, temp3)); + CHECK(d0_bignum_mod_inv(ctx->rsa_d, ctx->rsa_e, temp1)); UNLOCKTEMPS(); return 1; fail: @@ -384,7 +381,7 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_longhash_destructive(unsigned char *convbuf, si D0_WARN_UNUSED_RESULT D0_BOOL d0_longhash_bignum(const d0_bignum_t *in, unsigned char *outbuf, size_t outbuflen) { - static __thread unsigned char convbuf[1024]; + unsigned char convbuf[1024]; size_t sz; CHECK(d0_bignum_export_unsigned(in, convbuf, sizeof(convbuf)) >= 0); @@ -531,7 +528,7 @@ fail: D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_fingerprint64_public_key(const d0_blind_id_t *ctx, char *outbuf, size_t *outbuflen) { d0_iobuf_t *out = NULL; - static __thread unsigned char convbuf[2048]; + unsigned char convbuf[2048]; d0_iobuf_t *conv = NULL; size_t sz, n; char shabuf[32]; @@ -625,7 +622,7 @@ fail: D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_generate_private_id_request(d0_blind_id_t *ctx, char *outbuf, size_t *outbuflen) { d0_iobuf_t *out = NULL; - static __thread unsigned char hashbuf[2048]; + unsigned char hashbuf[2048]; size_t sz; USINGTEMPS(); // temps: temp0 rsa_blind_signature_camouflage^challenge, temp1 (4^s)*rsa_blind_signature_camouflage^challenge @@ -639,11 +636,10 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_generate_private_id_request(d0_blind_i // we will actually sign HA(4^s) to prevent a malleability attack! LOCKTEMPS(); - CHECK(d0_bignum_mov(temp2, ctx->schnorr_g_to_s)); sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting" if(sz > sizeof(hashbuf)) sz = sizeof(hashbuf); - CHECK(d0_longhash_bignum(temp2, hashbuf, sz)); + CHECK(d0_longhash_bignum(ctx->schnorr_g_to_s, hashbuf, sz)); CHECK(d0_bignum_import_unsigned(temp2, hashbuf, sz)); // hash complete @@ -824,7 +820,7 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_authenticate_with_private_id_start(d0_ // 1. get random r, send HASH(4^r) { d0_iobuf_t *out = NULL; - static __thread unsigned char convbuf[1024]; + unsigned char convbuf[1024]; d0_iobuf_t *conv = NULL; size_t sz = 0; D0_BOOL failed = 0; @@ -901,7 +897,7 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_authenticate_with_private_id_challenge { d0_iobuf_t *in = NULL; d0_iobuf_t *out = NULL; - static __thread unsigned char hashbuf[2048]; + unsigned char hashbuf[2048]; size_t sz; USINGTEMPS(); // temps: temp0 order, temp0 signature check @@ -939,26 +935,24 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_authenticate_with_private_id_challenge CHECK(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero) >= 0); CHECK(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, ctx->rsa_n) < 0); - // check signature of key (t = k^d, so, t^challenge = k) - LOCKTEMPS(); - CHECK(d0_bignum_mod_pow(temp0, ctx->schnorr_H_g_to_s_signature, ctx->rsa_e, ctx->rsa_n)); - - // we will actually sign SHA(4^s) to prevent a malleability attack! - CHECK(d0_bignum_mov(temp2, ctx->schnorr_g_to_s)); - sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting" - if(sz > sizeof(hashbuf)) - sz = sizeof(hashbuf); - CHECK(d0_longhash_bignum(temp2, hashbuf, sz)); - CHECK(d0_bignum_import_unsigned(temp2, hashbuf, sz)); - - // + 7 / 8 is too large, so let's mod it - CHECK(d0_bignum_divmod(NULL, temp1, temp2, ctx->rsa_n)); - - // hash complete - if(d0_bignum_cmp(temp0, temp1)) + if(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero)) { - // accept the key anyway, but mark as failed signature! will later return 0 in status - CHECK(d0_bignum_zero(ctx->schnorr_H_g_to_s_signature)); + // check signature of key (t = k^d, so, t^challenge = k) + LOCKTEMPS(); + CHECK(d0_bignum_mod_pow(temp0, ctx->schnorr_H_g_to_s_signature, ctx->rsa_e, ctx->rsa_n)); + + // we will actually sign SHA(4^s) to prevent a malleability attack! + sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting" + if(sz > sizeof(hashbuf)) + sz = sizeof(hashbuf); + CHECK(d0_longhash_bignum(ctx->schnorr_g_to_s, hashbuf, sz)); + CHECK(d0_bignum_import_unsigned(temp2, hashbuf, sz)); + + // + 7 / 8 is too large, so let's mod it + CHECK(d0_bignum_divmod(NULL, temp1, temp2, ctx->rsa_n)); + + // hash complete + CHECK(d0_bignum_cmp(temp0, temp1) == 0); } } @@ -1053,7 +1047,7 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_authenticate_with_private_id_verify(d0 // (check using H(g^r) which we know) { d0_iobuf_t *in = NULL; - static __thread unsigned char convbuf[1024]; + unsigned char convbuf[1024]; d0_iobuf_t *conv = NULL; size_t sz; char shabuf[32]; @@ -1125,7 +1119,7 @@ fail: D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_authenticate_with_private_id_generate_missing_signature(d0_blind_id_t *ctx) { size_t sz; - static __thread unsigned char hashbuf[2048]; + unsigned char hashbuf[2048]; USINGTEMPS(); // temps: 2 hash REPLACING(schnorr_H_g_to_s_signature); @@ -1157,7 +1151,7 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_sign_with_private_id_sign_internal(d0_ { d0_iobuf_t *out = NULL; unsigned char *convbuf = NULL; - static __thread unsigned char hashbuf[2048]; + unsigned char hashbuf[2048]; d0_iobuf_t *conv = NULL; size_t sz = 0; @@ -1235,7 +1229,7 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_sign_with_private_id_verify_internal(d d0_iobuf_t *in = NULL; d0_iobuf_t *conv = NULL; unsigned char *convbuf = NULL; - static __thread unsigned char hashbuf[2048]; + unsigned char hashbuf[2048]; size_t sz; USINGTEMPS(); // temps: 0 sig^e 2 g^s 3 g^-s 4 order @@ -1350,7 +1344,7 @@ D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_sign_with_private_id_verify_detached(d D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_fingerprint64_public_id(const d0_blind_id_t *ctx, char *outbuf, size_t *outbuflen) { d0_iobuf_t *out = NULL; - static __thread unsigned char convbuf[1024]; + unsigned char convbuf[1024]; d0_iobuf_t *conv = NULL; size_t sz, n; char shabuf[32]; @@ -1401,6 +1395,63 @@ fail: return 0; } +D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_verify_public_id(const d0_blind_id_t *ctx, D0_BOOL *status) +{ + unsigned char hashbuf[2048]; + size_t sz; + + USINGTEMPS(); // temps: temp0 temp1 temp2 + USING(schnorr_H_g_to_s_signature); USING(rsa_e); USING(rsa_n); USING(schnorr_g_to_s); + + if(d0_bignum_cmp(ctx->schnorr_H_g_to_s_signature, zero)) + { + // check signature of key (t = k^d, so, t^challenge = k) + LOCKTEMPS(); + + CHECK(d0_bignum_mod_pow(temp0, ctx->schnorr_H_g_to_s_signature, ctx->rsa_e, ctx->rsa_n)); + + // we will actually sign SHA(4^s) to prevent a malleability attack! + sz = (d0_bignum_size(ctx->rsa_n) + 7) / 8; // this is too long, so we have to take the value % rsa_n when "decrypting" + if(sz > sizeof(hashbuf)) + sz = sizeof(hashbuf); + CHECK(d0_longhash_bignum(ctx->schnorr_g_to_s, hashbuf, sz)); + CHECK(d0_bignum_import_unsigned(temp2, hashbuf, sz)); + + // + 7 / 8 is too large, so let's mod it + CHECK(d0_bignum_divmod(NULL, temp1, temp2, ctx->rsa_n)); + + // hash complete + CHECK(d0_bignum_cmp(temp0, temp1) == 0); + + *status = 1; + } + else + *status = 0; + + UNLOCKTEMPS(); + return 1; + +fail: + UNLOCKTEMPS(); + return 0; +} + +D0_WARN_UNUSED_RESULT D0_BOOL d0_blind_id_verify_private_id(const d0_blind_id_t *ctx) +{ + USINGTEMPS(); // temps: temp0 = g^s + USING(schnorr_G); USING(schnorr_s); USING(schnorr_g_to_s); + + LOCKTEMPS(); + CHECK(d0_bignum_mod_pow(temp0, four, ctx->schnorr_s, ctx->schnorr_G)); + CHECK(!d0_bignum_cmp(temp0, ctx->schnorr_g_to_s)); + UNLOCKTEMPS(); + return 1; + +fail: + UNLOCKTEMPS(); + return 0; +} + d0_blind_id_t *d0_blind_id_new(void) { d0_blind_id_t *b = d0_malloc(sizeof(d0_blind_id_t));